Hacker News new | ask | show | jobs
by cyberax 41 days ago
I keep getting emails with the content like: "I found a critical bypass vulnerability in your app what is the appropriate channel to disclose it, and do you have a bounty program?"

I tried engaging and replying to them, and it inevitably turns into: "Yeah, we don't actually have the vulnerability, but you are totally vulnerable, just let us do a security audit for you".

I have a pre-written reply for these kinds of messages now.
3 comments
kube-system 41 days ago
Yeah, the signal to noise ratio on vulnerability reports is very weak, especially when the initial report withholds any detail.

I get tons of these messages too and the ones that do include details are the kind of junk you get from free "website vulnerability scanners" that are a bunch of garbage that means nothing -- "missing headers" for things I didn't set on purpose, "information disclosure vulnerabilities" for things that are intentionally there, etc... You can put google.com into these things and get dozens of results.

link
somewhatgoated 41 days ago
I run bug bounty for a fairly large OSS project and the amount of shitty/bad actor spam/beg bounties etc we get is huge. Like 95% of the emails to security@ are straight garbage
link
Galanwe 41 days ago
From the looks of it, they actually asked for a way to report.
link
bdangubic 41 days ago
email security@company
link
pcthrowaway 41 days ago
Sure that is perhaps a good way to inquire about the appropriate channels to disclose a security vulnerability, but email is not a secure communication method for sending the details about a security vulnerability
link
Terr_ 41 days ago
It's kind of insane to think that the state of email encryption is still so bad in The Future Year 2026.

No flying cars? Okay. Nobody traveled much beyond the orbit of the Moon? Dang. But email? We didn't even get reliable privacy separate from identity?

link
cyberax 41 days ago
> Nobody traveled much beyond the orbit of the Moon?

Oh, don't think that outer space will let you escape the misery of email:

> "I have two Microsoft Outlooks and neither one is working": Artemis II astronauts

link
bdangubic 41 days ago
start there and handle everything once you get in contact with appropriate people
link
cyberax 41 days ago
Yeah. I'm just saying how it could have been overlooked. Doesn't excuse it, though.
link